On Saturday, November 10, 2012 09:26:26 AM Richard W.M. Jones wrote: > On Sat, Nov 10, 2012 at 02:33:53AM +0100, Kevin Kofler wrote: > > Matthew Miller wrote: > > > Apparently the new version of polkit brings in javascript. The js > > > package > > > is 6.5MB. I think anything that uses polkit will depend on it -- can we > > > remove it from core? > > > > Of course, the real question is why the heck PolicyKit needs a Turing- > > complete rule language (which also forced everyone to port their existing > > rules) when the previously-used simple INI-style pkla rule format did the > > job just fine! > > And Unix groups worked OK before that (and still do for the majority > of purposes).
Another problem is how would we do SCAP configuration checks when the language will allow 20 different ways to do the same thing? We might be able to do a SHA256 has of the js. Which means you've completely lost any ability to modify the behaviour. In an ini file, we could pick out the lines that were important and check them only allowing other settings we don't care about to change. Additionally, access control decisions should be audited. There are no libaudit bindings for javascript. -Steve -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
